Vista SP1 to Include Common Security APIs for Partners

A spokesperson for Microsoft Thursday evening characterized as "grossly inaccurate" reports from earlier in the day, including from Reuters, stating that a technical glitch in the company's Live Meeting services led to a dissolution of a meeting between Microsoft and security products vendors.

These stories were wrong, said the spokesperson, on three major counts: 1) the exclusivity and number of vendors attending the meeting (20 security vendors participated in this one meeting, possibly including Symantec and McAfee, though this was one of several such meetings); 2) the subject of the meeting (it did not involve a possible revelation or licensing of PatchGuard code or methods); 3) the damage caused by the technical glitch (it only delayed the meeting for 15 minutes, after which representatives from all 20 companies remained on the call).

The actual subject of this afternoon's Internet conference, the spokesperson told BetaNews, is Microsoft's intention to invite nearly 150 security products vendors to join it in the development of an open security services API for Windows.

Such an API would not open up PatchGuard, the kernel protection system the company currently plans for Windows Vista, the spokesperson pointed out emphatically several times during our discussion, nor does Microsoft have any plans to ever open up PatchGuard.

"Microsoft continues to believe the kernel must be protected from unauthorized access," BetaNews was told. To that end, the company proposes "a process for developing methods for software that works alongside PatchGuard."

Such a process, if initiated, could take several months, by Microsoft estimates, with the goal being to produce the results of this initiative in time for the release of Vista Service Pack 1. Though the spokesperson used the phrase "the SP1 timeframe" to refer to the release of these services, Microsoft declined to attach a time to that timeframe.

The challenge before participating security partners, BetaNews was told, is to develop a common list of requirements for the type of protection they want to be able to include with their own products. With that list in hand, the vendors could work along with Microsoft to develop an API that would enable them to achieve their individual goals.

Assuming the first stages of negotiations are successful, vendors and Microsoft could conceivably negotiate a timetable for implementing new security functionality, perhaps rolling out service extensions in beta form as they are completed.

The spokesperson declined comment on vendors' relative openness to the idea of revealing their respective product goals and plans, in the interest of developing a common API. Comment was also declined regarding whether vendors may be preparing to make a joint statement following the end of negotiations on this effort, or whether Microsoft plans to make a unilateral statement.

This afternoon's meeting -- the one with the now-celebrated Live Meeting glitch -- was merely one of several such meetings which were scheduled to take place between October 19 and October 23, just prior to Microsoft's involvement in an upcoming RSA security conference.

In all, the majority, if not the entirety, of Microsoft's slate of security partners were invited to participate, apparently weeks ago. This scheduling has been known for some time, the spokesperson said, and was not at all specifically intended to address recent complaints from Symantec and McAfee -- again, contrary to reports. In fact, those complaints may not even have been on the agenda.

At the end of Thursday, representatives from all invited security vendors on today's docket were able to attend, BetaNews was told, and no company was locked out, although individual members of some companies may have continued experiencing glitches. A timetable for the patching of Live Meeting, one might suggest, could be the subject of a new round of meetings entirely.